Topic: multiple rootkits detected: false positive?


art13
multiple rootkits detected: false positive?
« on: December 20, 2008, 08:34:48 PM »
Hi,

I use Avast home on a Packardbell pc running windows XP professional sp3. I have a problem much similar to these:

http://forum.avast.com/index.php?topic=40382.0

http://forum.avast.com/index.php?topic=40612.0

http://forum.avast.com/index.php?topic=40309.0

http://forum.avast.com/index.php?topic=40273.0

After updating Avast to 4.8.1296, an on-demand scan keeps reporting multiple rootkits using the heuristic scan method. After choosing the “delete” option, Avast advises a boot scan, which doesn’t find any problem.

I also scanned with:

-Avast anti-rootkit (also in advanced mode)
-F-secure Blacklight
-Trend micro Rootkitbuster

-Symantec security-check
-Bitdefender online-scan

None of them finds any problem. Avast still does.

After this I formatted my harddisk and did a clean install of windows. Then I installed Avast. It keeps reporting multiple rootkits.

May I assume after these rigorous measures these rootkit reports are false positive?

And if they are, how can I report this to the Alwil lab to solve the problem? I think the suspected files are not sent to them because the Avast log reports: “Internal error has occurred in module bas Encode File To submit failed”.

Hope anyone can give me advice.

Art

Lisandro (Avast team)
Re: multiple rootkits detected: false positive?
« Reply #1 on: December 20, 2008, 08:38:27 PM »
Seems indeed false positives...
For rootkits, right now, can you help? http://forum.avast.com/index.php?topic=40382.msg344375#msg344375
The best things in life are free.

DavidR (Avast Überevangelist)
Re: multiple rootkits detected: false positive?
« Reply #2 on: December 20, 2008, 09:20:00 PM »
Could you post the file names and locations of the detected files, and a little about your system: laptop/desktop, manufacturer, OS, etc.?

If you can help with the remote link it could help clear it up quicker.

art13
Re: multiple rootkits detected: false positive?
« Reply #3 on: December 21, 2008, 02:14:25 PM »
About the remote access: rather not. I'm sorry.

My system:

-Packardbell desktop
-Pentium III 800 MHz
-320 MB RAM
-Windows XP Professional SP3 (no OEM, computer originally ran Windows 98 SE)
-ZoneAlarm firewall
-Lavasoft Ad-Aware anti-spyware

Below are the results of a scan exported from the log. I'll try to post the second scan in the next reply (exceeded 10000 characters). Note that the results are different. The first scan was just after installing Windows (13-12-08). The second was after updating Windows and installing all the other software I use (15-12-08). The results of the second scan have been reproduced since then.

Art

13-12-2008 21:41:47      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\3\mdigraph.dll" file.  
13-12-2008 21:41:48      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\3\mdiui.dll" file.  
13-12-2008 21:41:49      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\mdigraph.dll" file.  
13-12-2008 21:41:50      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\mdiui.dll" file.  
13-12-2008 21:41:53      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolsv.exe\prtprocs\w32x86\mdippr.dll" file.  
13-12-2008 21:42:01      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\3\mdigraph.dll" file.  
13-12-2008 21:42:02      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\3\mdiui.dll" file.  
13-12-2008 21:42:03      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\mdigraph.dll" file.  
13-12-2008 21:42:04      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\mdiui.dll" file.  
13-12-2008 21:42:07      2676   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\system32\spoolss.dll\prtprocs\w32x86\mdippr.dll" file.  
13-12-2008 21:45:30      2676   Sign of "" has been found in "C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\3\mdigraph.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\3\mdiui.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\mdigraph.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\mdiui.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolsv.exe\prtprocs\w32x86\mdippr.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\3\mdigraph.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\3\mdiui.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\mdigraph.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\mdiui.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||C:\WINDOWS\system32\spoolss.dll\prtprocs\w32x86\mdippr.dll||AntiRootkit [FILE]|||100000|0|2|COO1||COO2||" file.  

art13
Re: multiple rootkits detected: false positive?
« Reply #4 on: December 21, 2008, 02:26:56 PM »
Small part of the second scan (it goes on for fourteen pages, too much to post)

15-12-2008 20:09:04      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll" file. 
15-12-2008 20:09:06      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\7.0.5000.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll" file. 
15-12-2008 20:09:07      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll" file. 
15-12-2008 20:09:08      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll" file. 
15-12-2008 20:09:10      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\cscompmgd.dll" file. 
15-12-2008 20:09:11      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualC.dll" file. 
15-12-2008 20:09:13      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a\CustomMarshalers.dll" file. 
15-12-2008 20:09:14      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Accessibility\1.0.5000.0__b03f5f7f11d50a3a\Accessibility.dll" file. 
15-12-2008 20:09:16      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\1.0.5000.0__b03f5f7f11d50a3a\System.Configuration.Install.dll" file. 
15-12-2008 20:09:17      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.Design.dll" file. 
15-12-2008 20:09:19      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\IIEHost\1.0.5000.0__b03f5f7f11d50a3a\IIEHost.dll" file. 
15-12-2008 20:09:20      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\ISymWrapper\1.0.5000.0__b03f5f7f11d50a3a\ISymWrapper.dll" file. 
15-12-2008 20:09:22      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\mscorcfg\1.0.5000.0__b03f5f7f11d50a3a\mscorcfg.dll" file. 
15-12-2008 20:09:24      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript.resources\7.0.5000.0_nl_b03f5f7f11d50a3a\Microsoft.Jscript.resources.dll" file. 
15-12-2008 20:09:25      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.resources\7.0.5000.0_nl_b03f5f7f11d50a3a\Microsoft.VisualBasic.resources.dll" file. 
15-12-2008 20:09:27      3612   Sign of "Rootkit: hidden file" has been found in "C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.resources\1.0.5000.0_nl_b03f5f7f11d50a3a\System.DirectoryServices.resources.dll" file. 
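An added triage helper, not from the thread, from the poster or from Alwil: it parses scan-log lines in the shape quoted in Replies #3 and #4 and separates the "Rootkit: hidden file" findings into those whose path could exist on disk (the GAC_MSIL entries) and those whose path uses a file name such as spoolsv.exe or spoolss.dll as a directory component. A regular file has no children, so the second kind cannot be a real hidden file; reading it as a path-construction artifact of the scanner is this example's assumption, consistent with the false-positive conclusion reached in the thread. The extension list and the sample log (built from the quoted entries plus the "Internal error" message from the first post) are constructed for the example.

```python
import re
from collections import defaultdict

# Shape of the avast! 4.8 on-demand scan log lines quoted in Replies #3 and #4.
LOG_RE = re.compile(
    r'^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sign>[^"]*)" has been found in "(?P<path>[^"]*)" file\.\s*$'
)

# Assumption of this example: these extensions name files, never directories,
# on a stock Windows 2000/XP install.
FILE_EXTS = {'.exe', '.dll', '.sys', '.ini', '.log', '.ico'}

# CONSTRUCTED sample: two entries copied from Reply #3, one from Reply #4,
# plus the "Internal error" message from the first post on a made-up line,
# to show the parser skipping text that is not a finding.
SAMPLE_LOG = """\
13-12-2008 21:41:47      2676   Sign of "Rootkit: hidden file" has been found in "C:\\WINDOWS\\system32\\spoolsv.exe\\drivers\\w32x86\\3\\mdigraph.dll" file.
13-12-2008 21:42:07      2676   Sign of "Rootkit: hidden file" has been found in "C:\\WINDOWS\\system32\\spoolss.dll\\prtprocs\\w32x86\\mdippr.dll" file.
15-12-2008 20:09:07      3612   Sign of "Rootkit: hidden file" has been found in "C:\\WINDOWS\\assembly\\GAC_MSIL\\Microsoft.Vsa\\7.0.5000.0__b03f5f7f11d50a3a\\Microsoft.Vsa.dll" file.
15-12-2008 20:09:08      3612   Internal error has occurred in module bas Encode File To submit failed
"""


def parse_log(text):
    """Yield (sign, path) for every line in the 'Sign of ... found in ...' shape."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group('sign'), m.group('path')


def file_used_as_directory(path):
    """Return the first non-final path component that carries a file
    extension (e.g. 'spoolsv.exe' sitting above 'drivers\\w32x86'), else None.

    A regular file cannot have children, so such a path cannot exist on
    disk; the example treats it as a path-construction artifact of the
    scanner rather than as a genuinely hidden file.
    """
    parts = [p for p in path.split('\\') if p]
    for comp in parts[:-1]:          # every component except the final file name
        dot = comp.rfind('.')
        if dot != -1 and comp[dot:].lower() in FILE_EXTS:
            return comp
    return None


def triage(text):
    """Bucket 'Rootkit: hidden file' findings by whether their path is possible."""
    buckets = defaultdict(list)
    for sign, path in parse_log(text):
        if sign != 'Rootkit: hidden file':
            buckets['other_sign'].append((sign, path))
            continue
        culprit = file_used_as_directory(path)
        key = 'impossible_path' if culprit else 'plausible_path'
        buckets[key].append((path, culprit))
    return buckets


if __name__ == '__main__':
    for key, items in sorted(triage(SAMPLE_LOG).items()):
        print(f'{key}: {len(items)}')
        for item in items:
            print('   ', item)
```

Findings left in the plausible bucket still need a second opinion (a boot-time scan or a second rootkit scanner, as the poster did); the impossible bucket can be reported to the vendor as a scanner-side path bug rather than investigated as an infection.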

art13
Re: multiple rootkits detected: false positive?
« Reply #5 on: December 25, 2008, 02:29:40 PM »
Lucky me!  :(

Apart from the rootkit problem I have on my Packardbell desktop, a laptop computer I’m taking care of shows almost the same behaviour. This time it’s an Acer Aspire 3000 machine.

AMD Sempron 3000+ 1.80 GHz
512 MB DDR
Windows XP Home SP3 (OEM)
Avast Home 4.8.1296
ZoneAlarm firewall
Lavasoft anti-spyware

After updating from 4.8.1229 to 4.8.1296 I did an on-demand scan, again reporting multiple rootkits using the heuristic scan method. After choosing the “delete” option, Avast advises a boot scan, which doesn’t find any problem.

I also scanned with:

-Avast anti-rootkit (also in advanced mode)
-F-secure Blacklight
-Trend micro Rootkitbuster

-Symantec security-check
-Bitdefender online-scan

None of them finds any problem.

I think the suspected files are again not sent to the Alwil lab because the Avast log reports: “Internal error has occurred in module bas Encode File To submit failed”.

I think these detected rootkits are false positives again. Comparing the Avast logs of the Packardbell desktop and the Acer laptop, there are some resemblances in the folders affected
(the files differ as far as I can see):

C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\3
C:\WINDOWS\system32\spoolss.dll\drivers\w32x86\3\

Folders on both the Packardbell desktop and the Acer laptop
(some files differ, some are the same):

C:\WINDOWS\assembly\GAC_MSIL\
C:\WINDOWS\assembly\GAC_32

Only on the Acer laptop, files from:

C:\WINDOWS\system32\autorun\acer.ico
C:\WINDOWS\system32\spoolss.dll\prtprocs
C:\WINDOWS\system32\spoolss.dll\XPSEP\amd64
C:\WINDOWS\system32\spoolss.dll\XPSEP\i386
C:\WINDOWS\system.ini\
C:\WINDOWS\ie7_main.log\

The complete log report is again too big to post.

Hope it helps. Merry Christmas.

Art

Lisandro (Avast team)
Re: multiple rootkits detected: false positive?
« Reply #6 on: December 25, 2008, 03:58:33 PM »
> it’s an Acer Aspire 3000 machine.
There is a well known bug with Acer computers.
They're working on it.
Until then, as a workaround, disable rootkit scanning in the Troubleshooting tab of the program settings.

art13
Re: multiple rootkits detected: false positive?
« Reply #7 on: December 25, 2008, 11:50:32 PM »
Hi Tech,

Thank you for your reply. Luckily the problem only comes up when running an on-demand scan, so I don't need the workaround (yet). I hope that if they find a solution it also works for non-Acer systems. We'll see.

Art

igor (Avast team)
Re: multiple rootkits detected: false positive?
« Reply #8 on: December 25, 2008, 11:57:37 PM »
> They're working on it.

Well, as Vlk said here, we are basically waiting for somebody who will be willing to give him remote access to an affected computer (and it's not completely limited to Acer systems; it seems to occur elsewhere as well, even though less frequently).
We are unable to reproduce the problem on our machines, so there isn't much we can do unless somebody helps us  :(
It's quite a mystery.

yare (Guest)
Re: multiple rootkits detected: false positive?
« Reply #9 on: December 26, 2008, 08:07:23 PM »
Hi. I've been using avast! Home Edition for quite some time now and I find it to be a very good AV. Today I started a thorough scan (after updating to the new version and getting the latest definitions (December 26th 2008)) and encountered the very same problem as described in this topic:

-Started a full scan
-Got a heuristic-engine warning regarding spoolss.dll and spoolsv.exe
-Selected deny -> got a warning that there is a virus in active memory and that a boot scan is required -> clicked OK, did the entire boot scan, got no warnings there (heuristic or deterministic) and got the same heuristic warning/boot scan warning after running another full scan

Malwarebytes, SuperAntiSpyware and S&D scan have found nothing.

As far as my machine is concerned, I am using Windows 2000 Service Pack 4 and the machine (hardware) in question is a custom-built PC. I also have HP printer drivers installed (HP LaserJet 1010 series) and they are working just fine. Hope this helps.

Any new info on this?

In the meantime I have disabled rootkit detection in the avast! Troubleshooting tab (as was suggested on this forum; I have other tools to take care of this, although I hope to undo this change in avast! as soon as possible) and hopefully this will work for the next full scan.

Lisandro (Avast team)
Re: multiple rootkits detected: false positive?
« Reply #10 on: December 26, 2008, 10:43:52 PM »
> I have disabled rootkit detection in avast! Troubleshooting tab (as it was suggested on this forum - I have other tools to take care of this although I hope to undo this change in avast! as soon as possible) and hopefully this will work for the next full scan.
I suggest this for Acer computers ONLY, and only while there is no other solution.

art13
Re: multiple rootkits detected: false positive?
« Reply #11 on: December 31, 2008, 05:48:27 PM »
The problems on both the Packardbell desktop and the Acer laptop were solved by installing VPS 081229-0.

Both systems were FAT32 formatted.

Art